CONSTANZE DIETRICH - RIPE 77 · The Human Factors of Security Misconfigurations Let’s Fix the...
The Human Factors of Security Misconfigurations: Let’s Fix the Weakest Link.
CONSTANZE DIETRICH, LEXTA Consultants Group
[@WeddingTrash // [email protected]]
77th RIPE Meeting, Plenary Session, 16 October 2018
Outline
1. The issue: Security Misconfigurations
2. The method: Empirical Approach
3. The results:
   a. Who?
   b. What?
   c. Why?
   d. What else?
4. The implications: A few Ideas
The Empirical Approach
(0. Presentation and Recruitment at SysAdmin Regular’s Table)
1. Interviews
2. Focus Group
(2.1. Presentation of the Preliminary Findings at RIPE 74)
3. Anonymous Online Survey
⇒ 221 valid Answers in 30 days
Who?
[Figure: respondent demographics, three bar charts on a 0–100 scale titled Education, Age and Work Experience; the category labels are not recoverable from the slide text.]
What?
[Figure: "Issue assessment variance", mean severity rating (0–5) per scenario for confidentiality (conf), integrity (int), availability (avail) and risk. Scale: 5 Critical; 4 High; 3 Medium; 2 Low; 1 Very low.]
Scenarios rated:
1. Email addresses of 1,000 users got leaked.
2. Email addresses of all 100,000 users got leaked.
3. Credit card information of 1,000 users got leaked.
4. 10 employees report the database does not show yesterday's changes.
5. The backup doesn't match the actual data.
6. 100 users lose one hour of work done.
7. For one hour 100 employees are unable to log in to their workstations.
8. 100 users report their accounts have been disabled.
9. 100 users report the data they're seeing isn't theirs.
10. Workstation login data of 100 employees is stored in a physical folder.
11. The corporate mail server fails to filter certain spam.
12. 10 non-operator workstations have administrator rights.
How?
[Figure: "How did you come across those SMs?" (based on 143 responses), bar chart with bars at 57%, 42%, 31%, 24%, 13%, 13%, 9% and 2%; the category labels are not recoverable from the slide text.]
What else?
“One incident gets your boss to improve security.
Two incidents gets their boss to improve security.
Three.... You get it, don't you?”
− respondent #120
[Figure: "Opinions", mean agreement per statement on a scale from -2 to 2, split by respondent group (ISP / IT vs. Non-IT / Gov).]
Statements:
1. In my company we keep up with security standards.
2. My direct supervisor knows the amount of work I'm doing.
3. The obligation to report security incidents is often not taken seriously.
4. Operators in management allow for more reasonable security-related business decisions.
5. My direct supervisor understands what I'm actually doing.
6. The general priority of security rises after a security incident has happened.
7. The threat of bad press after a security incident is what companies fear most.
8. The discovery of a security misconfiguration made me more cautious regarding security.
9. Blameless postmortems help to detect essential issues in corporate procedures.
10. I feel responsible for pointing out security issues to peers.
11. I feel responsible for keeping my operations secure.
12. Software or hardware being certified means it is secure.
13. They taught me how to take care of misconfigured systems in school.
14. Agility is more important than security.
15. In my company we have a budget for mistakes.
16. I trust all the tools and equipment we're using.
17. Too many things are configurable.
A few ideas
1. Automation.
2. Documentation.
3. Clear (shared) responsibilities.
4. Processes and procedures.
5. Troubleshooting courses for evolving operators.
“[In school] They only focus on installing and putting things together. Unless you learn to become a car mechanic or so. Where broken is the state you start with.”
− interviewee #11
6. Security incident “LARP” for management.
“Personally, I think some of them [the management] should use typewriters instead of computers.”
− respondent #54
7. Probability. Damage. Human Factors.
“Usually it’s a question of whether the risk assessment was correct or needs adjustment, and following that sometimes security measures are enhanced.”
− respondent #52
8. Honest error culture in companies.
“A slap on the hand and off you go.”
− respondent #210